FireEye App Not Getting Data

I have installed the FireEye App for Splunk on a Deployment Server in a distributed environment but cannot get any data to come in through my universal forwarder. The FireEye CMS is configured to send notifications to the URL recommended in the FireEye App 2.0 post. Thinking that it might be DNS resolution related, I changed the hostname in the URL to the IP address for the FireEye URL: https://{IPAddress}:8089/services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe. When I look at the network packets, the FireEye CMS isn't even attempting to communicate with the Universal Forwarder. There is no firewall between the FireEye CMS and the universal forwarder. Is there something that's missing in the FireEye CMS config possibly?

3 Answers

I figured it out. Two things were not correct in my configuration:

1. My notification URL didn't save the entire URL; it had truncated the URL after the source. So check that the URL contains the sourcetype and index values. You may actually have to apply it a few times to get it to work.
2. I created a separate local Splunk admin account named fireeye for use in the MPS notification authentication fields. I changed this back to the Splunk default local "admin" account.

After these two modifications, alerts were able to be sent to the Splunk FireEye app.

I was able to avoid using the admin account. The issue I was having was that the password for the "fireeye" account was > 16 characters. The FireEye HTTP form has a maxlength=16 on the password field. Once I adjusted accordingly I was able to log in with a specific account.

1) Does it have to run under the "admin" account?
2) Does it have to run under an account in the admin role?
3) How do we send these to a dedicated universal forwarder? Do we need anything in inputs.conf or server.conf?
4) Can the forwarder use an account created on a search head, or must they be linked?

The FireEye CMS is the centralized platform for data and policy management, but it does not send the events to Splunk. Each individual MPS performs that activity. Check for activity from each FE appliance.

We have logged directly into one of our MPSs and done a test fire to the forwarder URL as noted in the FireEye setup instructions, and still nothing. We can receive the XML over the wire to a syslog receiver, but it causes the syslog app to crash, I'm guessing because it is in the incorrect format (XML). Thoughts on why the FireEye MPS will send over UDP 514 and not 443? I did a WinDump on the Splunk server when we fired the test XML over HTTP and it showed an error that UDP 514 was not reachable. Why is the FireEye trying to communicate to 514 when we clearly sent the test fire over 443?

I am having issues with this app as well. What I did:

- Install the FireEye App in Splunk
- Configure HTTP notifications per the FireEye App instructions
- Verified via tcpdump that the FireEye appliance is sending the HTTP notifications and that the Splunk server is receiving the traffic

However, there is no data showing up in Splunk itself. A search of index="fe" shows 0 results. And the "index activity overview" page shows that indexes fe & fireeye both have a count of 0.

It looks like the splunkd_access.log shows the post request from the Fireeye appliance with a 401 code. But I have verified multiple times that it is configured with the splunk admin account and password.

Any ideas why this is not receiving the data or how to troubleshoot further?
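As an added troubleshooting example (not FireEye's or Splunk's own code, and not part of this thread), the following Python checks offline for the three failure modes reported above: a notification URL saved without its sourcetype and index parameters (accepted answer), a password longer than the 16-character limit on the MPS form (second answer), and POSTs to the receivers/simple endpoint that splunkd answered with 401 (last post). The splunkd_access.log sample lines are constructed, and the combined-log-style layout the regex assumes is an approximation; the field count varies by Splunk version, so adjust the pattern if your log looks different.

```python
"""Pre-flight checks for a FireEye MPS -> Splunk receivers/simple notification.

Added example for this thread; nothing here is FireEye or Splunk code.
"""
import re
from urllib.parse import parse_qs, urlsplit

REQUIRED_PARAMS = ("source", "sourcetype", "index")
SPLUNKD_MGMT_PORT = 8089
RECEIVER_PATH = "/services/receivers/simple"
MPS_PASSWORD_MAXLEN = 16  # maxlength on the MPS notification form, per the thread


def check_notification_url(url):
    """Return a list of problems with the URL configured on the MPS (empty list = OK)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("scheme is %r; the splunkd management port speaks https" % parts.scheme)
    if parts.port != SPLUNKD_MGMT_PORT:
        problems.append("port is %r; expected %d" % (parts.port, SPLUNKD_MGMT_PORT))
    if parts.path != RECEIVER_PATH:
        problems.append("path is %r; expected %s" % (parts.path, RECEIVER_PATH))
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in REQUIRED_PARAMS:
        values = query.get(name)
        if not values or values[0] == "":
            # The accepted answer saw the URL cut off after source=... on save.
            problems.append("query string is missing %s (URL may have been truncated on save)" % name)
    return problems


def check_password(password):
    """Return a problem string if the password would be cut by the MPS form, else None."""
    if len(password) > MPS_PASSWORD_MAXLEN:
        return "password is %d chars; the MPS form accepts %d, so the truncated value fails auth (401)" % (
            len(password), MPS_PASSWORD_MAXLEN)
    return None


# Assumed splunkd_access.log layout (combined-log style):
#   client - user [timestamp] "METHOD target HTTP/x.y" status ...
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def receiver_posts(log_lines):
    """Yield (client, user, status, target) for every POST to the receivers/simple endpoint."""
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if not m.group("target").startswith(RECEIVER_PATH):
            continue
        yield m.group("client"), m.group("user"), int(m.group("status")), m.group("target")


def summarize_receiver_posts(log_lines):
    """Count receiver POSTs by HTTP status; 401 means splunkd rejected the MPS credentials."""
    counts = {}
    for _client, _user, status, _target in receiver_posts(log_lines):
        counts[status] = counts.get(status, 0) + 1
    return counts


# Constructed sample lines in the assumed layout: one rejected POST, one accepted, one unrelated GET.
SAMPLE_LOG = """\
10.1.2.3 - - [12/May/2014:09:15:01.204 -0400] "POST /services/receivers/simple?source=FE_Test HTTP/1.1" 401 150 - - - 1ms
10.1.2.3 - admin [12/May/2014:09:16:44.981 -0400] "POST /services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe HTTP/1.1" 200 98 - - - 3ms
10.1.2.3 - admin [12/May/2014:09:17:10.002 -0400] "GET /services/server/info HTTP/1.1" 200 4096 - - - 2ms
""".splitlines()


if __name__ == "__main__":
    good = "https://10.0.0.5:8089/services/receivers/simple?source=FE_Test&sourcetype=fe_xml&index=fe"
    truncated = "https://10.0.0.5:8089/services/receivers/simple?source=FE_Test"
    for url in (good, truncated):
        print(url, "->", check_notification_url(url) or "OK")
    print(check_password("x" * 20) or "password length OK")
    print("receiver POSTs by status:", summarize_receiver_posts(SAMPLE_LOG))
```

Run it against the URL exactly as the MPS shows it after saving, not as you typed it, since the truncation happens on save; for the log check, paste real lines from $SPLUNK_HOME/var/log/splunk/splunkd_access.log in place of SAMPLE_LOG. A 401 against the receivers endpoint with the correct URL points at the credential, which is where the 16-character form limit bites.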